.TH "nnrpdlimit" "1" "0.7.7" "Paolo Amoroso" "NNTP Programs"
.SH "NAME"
.LP 
nnrpdlimit \- Resources limiting program for nnrpd
.SH "SYNTAX"
.LP 
nnrpdlimit [ \fI\-f\fP <\fIfile\fP> \fI\-t\fP <\fIseconds\fP> \fI\-e\fP <\fIseconds\fP> \fI\-p\fP <\fIseconds\fP> \fI\-g\fP <\fIseconds\fP> \fI\-a\fP <\fIconnections\fP> \fI\-r\fP <\fIKBytes\fP> \fI\-s\fP <\fIsyslog_facility\fP> \fI\-q\fP <\fIfile\fP> \fI\-D\fP ]
.br 
nnrpdlimit \fI\-X\fP
.br 
nnrpdlimit \fI\-h\fP
.br 
.SH "DESCRIPTION"
.LP 
InterNetNews isn't shipped with any builtin method to limit the system resources that \fBeach single instance\fR of nnrpd is able to allocate. With modern internet connections, malicious users are easily able to consume a lot of system resources simply keeping the server busy with strange, useless or repetitive queries if some external program doesn't prevent them from doing this. nnrpdlimit is a daemon that checks on regular, user defined bases (flag \fB\-t\fR) whether each nnrpd instance is consuming too much RAM (\fB\-r\fR), CPU time (\fB\-g\fR) or is trying to keep alive a connection with the server for a too long time (\fB\-p\fR). It's also able to block all clients that try to establish many concurrent connections with different ports (ie. plain text and SSL) at the same time. If an nnrpd instance exceeds one of these limits, nnrpdlimit kills it and the source IP address is written in a file choosen through \fB\-f\fR, usually /etc/hosts.deny, using the standard tcpd format suitable for being used by all programs built with TCPD support (notably \fBxinetd\fR). nnrpdlimit is also able to remove from that file each banned IP address after an user defined (\fB\-e\fR) amount of time. 
.br 
Since neither INND nor nnrpd have got builtin support for tcpd, in order to use nnrpdlimit is needed some external superserver like xinetd (recommended) or rlinetd. 
.br 
\fBBeware:\fR if the new nnrpd instances are spawned by innd \- which is the default behaviour of InterNetNews \- nnrpdlimit becomes \fBcompletely useless\fR because innd doesn't read /etc/host.* files before deciding whether each client has the right to connect. People who have got two IP addresses can simply configure their site in order to use an address handled by xinetd for the clients and an IP directly managed by innd for the NNTP regular feeds. Those who have got a single IP address have to configure innd in order to bind the port number \fB443\fR instead of 119 than they've to assign the standard NNTP port to xinetd. The following example shows how to configure xinetd.conf in order to properly spawn nnrpd when a client tries to query the server.

service nntp
.br 
{
        socket_type         = stream
        wait                = no
        disable             = no
        nice                = \-5
        user                = news
        server              = /usr/lib/news/bin/nnrpd
        server_args         = \-n \-s PPPPPPPPPPPPPPPPPPPPP
        port                = 119
        per_source          = 2
        max_load            = 10
        rlimit_cpu          = 60   
.br      
}

\fBBeware\fR: in order to use nnrpdlimit, nnrpd \fBmust\fR be executed by xinetd with the flags \fB\-n\fR and \fB\-s PPPPPPPPPPPPPPPPPPPPP\fR. They're both mandatory.
.br 
nnrpdlimit is a perl script that requires \fBa modern \fILinux\fR kernel\fR (>2.6.0) with \fBprocfs\fR enabled and must be executed by \fBroot\fR.
.br 
.SH "OPTIONS"
.LP 
.TP 
\fB\-f\fR <\fIfile\fP>
This flag sets which file has to be used by nnrpdlimit in order to save the list of banned addresses. The default value is \fB/etc/hosts.deny\fR that is probably the right one. 

.TP 
\fB\-t\fR <\fIseconds\fP> 
The amount of seconds between checks is set through the flag \fB\-t\fR. The default value is \fB600\fR seconds. Small sites could use larger values. 

.TP 
\fB\-e\fR <\fIseconds\fP>
After being banned each host can't reach the server for the amount of seconds set by \fB\-e\fR. When nnrpdlimit makes each periodical check, it cancels all records that are older than the number of seconds set by this flag. The default value is \fB86400\fR seconds, one day: a day after being banned all clients get again the access right.

.TP 
\fB\-p\fR <\fIseconds\fP>
How many seconds each client can stay consecutively connected is set by the flag \fB\-p\fR. If a client keeps alive a connection for an amount of seconds larger than the one set here, his IP address is banned for the amount of time set by \fB\-e\fR. Default value is \fB10800\fR, 3 hours. Shorter times can often result in false positive matches, longer ones are probably useless.

.TP 
\fB\-g\fR <\fIseconds\fP>
How much \fBCPU time\fR each instance of nnrpd is authorized to spend is set by the flag \fB\-g\fR. If a client consumes an amount of CPU time lager than the one set here, his IP address is banned. The right value depends by the spool size since more articles require more CPU time in order to be processed. Default value is \fB6\fR seconds that is probably enough high for a text only USENET server.

.TP 
\fB\-a\fR <\fIconnections\fP>
xinetd is able to set a maximum number of concurrent connections that a single host can establish with a \fBsingle local port\fR but there's no way to set an overall maximum number of simultaneous connections that each IP address is authorized to open. If a news server listens on various ports \- ie. nntp, nntps, http and https \- each client gains the rights to open a large number of concurrent connections and this can make easy to flood the site. The flag \fB\-a\fR sets the maximum \fBtotal\fR number of connections that each IP address can establish with the news server regardless the server's port (and IP address) choosen by the client. Default value is \fB2\fR, an alternative option could be \fB4\fR. The value used here should always be the same set by \fBper_source\fR xinetd statements. 

.TP 
\fB\-r\fR <\fIKBytes\fP>
How many Kbytes of RAM each nnrpd instance is authorized to allocate is set by the flag \fB\-r\fR. The default value is \fB40000\fR KB that is an enough value for text only USENET servers. 

.TP 
\fB\-q\fR <\fIFile\fP>
Where nnrpdlimit has to save his pid is set by \fB\-q\fR. Default value is \fB/var/run/nnrpdlimit.pid\fR that is the right one for Debian based sites. Beware: the argument is a \fBfull path of a file\fR not a directory or a single file.

.TP 
\fB\-s\fR <\fISyslog_facility\fP>
Which syslog facility nnrpdlimit has to use for logging is set by \fB\-s\fR. Default is \fBnews\fR.

.TP 
\fB\-D\fR
Usually nnrpdlimit runs in background. If the flag \fB\-D\fR is given, nnrpdlimit will run in foreground without detaching itself.

.TP 
\fB\-X\fR
Kill an already running instance of nnrpdlimit. This flag is mostly used during the shutdown process in order to gracefully terminate nnrpdlimit.

.TP 
\fB\-h\fR
Show a simple help screen.
.SH "FILES"
.LP 
\fI/etc/hosts.deny\fP 
.br 
\fI/etc/xinetd/xinetd.conf\fP 
.SH "EXAMPLES"
.LP 
Aioe.org (a public news server) current configuration
.LP 
nnrpdlimit \-g 4 \-r 25000 \-a 2 \-t 300 \-p 7200
.LP 
A smaller server could use
.LP 
nnrpdlimit \-t 900
.SH "AUTHORS"
.LP 
Paolo Amoroso (Aioe) <freedom@aioe.org>
.SH "SEE ALSO"
.LP 
nnrpd(1), xinetd.conf(5), hosts_access(5) 
